idnits 2.17.1 draft-ietf-tsvwg-sctp-auth-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 19. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 776. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 787. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 794. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 800. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 22, 2007) is 6305 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'RFCXXXX' on line 601 == Unused Reference: '1' is defined on line 697, but no explicit reference was found in the text == Unused Reference: '7' is defined on line 717, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '1') ** Downref: Normative reference to an Informational RFC: RFC 2104 (ref. '2') ** Obsolete normative reference: RFC 2434 (ref. '4') (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 2960 (ref. '5') (Obsoleted by RFC 4960) -- Possible downref: Non-RFC (?) normative reference: ref. '7' -- Possible downref: Non-RFC (?) normative reference: ref. '8' Summary: 5 errors (**), 0 flaws (~~), 4 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Tuexen 3 Internet-Draft Muenster Univ. of Applied Sciences 4 Intended status: Standards Track R. Stewart 5 Expires: July 26, 2007 P. Lei 6 Cisco Systems, Inc. 7 E. Rescorla 8 RTFM, Inc. 9 January 22, 2007 11 Authenticated Chunks for Stream Control Transmission Protocol (SCTP) 12 draft-ietf-tsvwg-sctp-auth-07.txt 14 Status of this Memo 16 By submitting this Internet-Draft, each author represents that any 17 applicable patent or other IPR claims of which he or she is aware 18 have been or will be disclosed, and any of which he or she becomes 19 aware will be disclosed, in accordance with Section 6 of BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF), its areas, and its working groups. Note that 23 other groups may also distribute working documents as Internet- 24 Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 The list of current Internet-Drafts can be accessed at 32 http://www.ietf.org/ietf/1id-abstracts.txt. 34 The list of Internet-Draft Shadow Directories can be accessed at 35 http://www.ietf.org/shadow.html. 37 This Internet-Draft will expire on July 26, 2007. 39 Copyright Notice 41 Copyright (C) The IETF Trust (2007). 43 Abstract 45 This document describes a new chunk type, several parameters and 46 procedures for SCTP. This new chunk type can be used to authenticate 47 SCTP chunks by using shared keys between the sender and receiver. 48 The new parameters are used to establish the shared keys. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3. New Parameter Types . . . . . . . . . . . . . . . . . . . . . 3 55 3.1. Random Parameter (RANDOM) . . . . . . . . . . . . . . . . 4 56 3.2. Chunk List Parameter (CHUNKS) . . . . . . . . . . . . . . 4 57 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) . . . . . . 5 58 4. New Error Cause . . . . . . . . . . . . . . . . . . . . . . . 7 59 4.1. Unsupported HMAC Identifier error cause . . . . . . . . . 7 60 5. New Chunk Type . . . . . . . . . . . . . . . . . . . . . . . . 7 61 5.1. Authentication Chunk (AUTH) . . . . . . . . . . . . . . . 8 62 6. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 9 63 6.1. Establishment of an association shared key . . . . . . . . 9 64 6.2. Sending authenticated chunks . . . . . . . . . . . . . . . 10 65 6.3. Receiving authenticated chunks . . . . . . . . . . . . . . 11 66 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 68 8.1. A New Chunk Type . . . . . . . . . . . . . . . . . . . . . 14 69 8.2. Three New Parameter Types . . . . . . . . . . . . . . . . 14 70 8.3. A New Error Cause . . . . . . . . . . . . . . . . . . . . 14 71 8.4. A New Table For HMAC Identifiers . . . . . . . . . . . . . 15 72 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 73 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 74 11. Normative References . . . . . . . . . . . . . . . . . . . . . 16 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 76 Intellectual Property and Copyright Statements . . . . . . . . . . 18 78 1. Introduction 80 SCTP uses 32 bit verification tags to protect itself against blind 81 attackers. These values are not changed during the lifetime of an 82 SCTP association. 84 Looking at new SCTP extensions there is the need to have a method of 85 proving that an SCTP chunk(s) was really sent by the original peer 86 that started the association and not by a malicious attacker. 88 Using TLS as defined in RFC3436 [6] does not help here because it 89 only secures SCTP user data. 91 Therefore an SCTP extension is presented which provides a mechanism 92 for deriving shared keys for each association. These association 93 shared keys are derived from endpoint pair shared keys, which are 94 configured and might be empty, and data which is exchanged during the 95 SCTP association setup. 97 The extension presented in this document allows an SCTP sender to 98 sign chunks using shared keys between the sender and receiver. The 99 receiver can then verify that the chunks are sent from the sender and 100 not from a malicious attacker as long as the attacker does not know 101 an association shared key. 103 2. Conventions 105 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 107 "OPTIONAL", when they appear in this document, are to be interpreted 108 as described in RFC2119 [3]. 110 3. New Parameter Types 112 This section defines the new parameter types that will be used to 113 negotiate the authentication during association setup. Table 1 114 illustrates the new parameter types. 116 +----------------+------------------------------------------------+ 117 | Parameter Type | Parameter Name | 118 +----------------+------------------------------------------------+ 119 | 0x8002 | Random Parameter (RANDOM) | 120 | 0x8003 | Chunk List Parameter (CHUNKS) | 121 | 0x8004 | Requested HMAC Algorithm Parameter (HMAC-ALGO) | 122 +----------------+------------------------------------------------+ 123 Table 1 125 It should be noted that the parameter format requires the receiver to 126 ignore the parameter and continue processing if it is not understood. 127 This is accomplished as described in RFC2960 [5] section 3.2.1. by 128 the use of the upper bits of the parameter type. 130 3.1. Random Parameter (RANDOM) 132 This parameter is used to carry an arbitrary length random number. 134 0 1 2 3 135 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 137 | Parameter Type = 0x8002 | Parameter Length | 138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 139 | | 140 \ Random Number / 141 / \ 142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 Figure 1 146 Parameter Type: 2 bytes (unsigned integer) 147 This value MUST be set to 0x8002. 149 Parameter Length: 2 bytes (unsigned integer) 150 This value is the length of the Random Number in bytes plus 4. 152 Random Number: n bytes (unsigned integer) 153 This value represents an arbitrary Random Number in network byte 154 order. 156 The RANDOM parameter MUST be included once in the INIT or INIT-ACK 157 chunk if the sender wants to send or receive authenticated chunks. 159 3.2. Chunk List Parameter (CHUNKS) 161 This parameter is used to specify which chunk types are required to 162 be sent authenticated by the peer. 164 0 1 2 3 165 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 166 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 167 | Parameter Type = 0x8003 | Parameter Length | 168 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 169 | Chunk Type 1 | Chunk Type 2 | Chunk Type 3 | Chunk Type 4 | 170 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 171 / / 172 \ ... \ 173 / / 174 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 175 | Chunk Type n | Padding | 176 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 178 Figure 2 180 Parameter Type: 2 bytes (unsigned integer) 181 This value MUST be set to 0x8003. 183 Parameter Length: 2 bytes (unsigned integer) 184 This value is the number of listed Chunk Types plus 4. 186 Chunk Type n: 1 byte (unsigned integer) 187 Each Chunk Type listed is required to be authenticated when sent 188 by the peer. 190 The CHUNKS parameter MUST be included once in the INIT or INIT-ACK 191 chunk if the sender wants to receive authenticated chunks. Its 192 maximum length is 260 bytes. 194 The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE and AUTH chunks 195 MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS 196 parameter is received then the types for INIT, INIT-ACK, SHUTDOWN- 197 COMPLETE and AUTH chunks MUST be ignored. 199 3.3. Requested HMAC Algorithm Parameter (HMAC-ALGO) 201 This parameter is used to list the HMAC identifiers the peer MUST 202 use. 204 0 1 2 3 205 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 206 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 207 | Parameter Type = 0x8004 | Parameter Length | 208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 209 | HMAC Identifier 1 | HMAC Identifier 2 | 210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 211 / / 212 \ ... \ 213 / / 214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 215 | HMAC Identifier n | Padding | 216 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 218 Figure 3 220 Parameter Type: 2 bytes (unsigned integer) 221 This value MUST be set to 0x8004. 223 Parameter Length: 2 bytes (unsigned integer) 224 This value is the number of HMAC identifiers multiplied by 2 plus 225 4. 227 HMAC Identifier n: 2 bytes (unsigned integer) 228 The values expressed are a list of HMAC identifiers that may be 229 used by the peer. The values are listed by preference, with 230 respect to the sender, where the first HMAC identifier listed is 231 the one most preferable to the sender. 233 The HMAC-ALGO parameter MUST be included once in the INIT or INIT-ACK 234 chunk if the sender wants to send or receive authenticated chunks. 236 The following Table 2 shows the currently defined values for HMAC 237 identifiers. 239 +-----------------+--------------------------+ 240 | HMAC Identifier | Message Digest Algorithm | 241 +-----------------+--------------------------+ 242 | 0 | Reserved | 243 | 1 | SHA-1 defined in [6] | 244 | 3 | SHA-256 defined in [6] | 245 +-----------------+--------------------------+ 247 Table 2 249 Every endpoint supporting SCTP chunk authentication MUST support the 250 HMAC based on the SHA-1 algorithm. 252 4. New Error Cause 254 This section defines a new error cause that will be sent if an AUTH 255 chunk is received with an unsupported HMAC identifier. Table 3 256 illustrates the new error cause. 258 +------------+-----------------------------+ 259 | Cause Code | Error Cause Name | 260 +------------+-----------------------------+ 261 | 0x0105 | Unsupported HMAC Identifier | 262 +------------+-----------------------------+ 264 Table 3 266 4.1. Unsupported HMAC Identifier error cause 268 This error cause is used to indicate that an AUTH chunk was received 269 with an unsupported HMAC Identifier. 271 0 1 2 3 272 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 274 | Cause Code = 0x0105 | Cause Length = 6 | 275 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 276 | HMAC Identifier | Padding | 277 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 279 Figure 4 281 Cause Code: 2 bytes (unsigned integer) 282 This value MUST be set to 0x0105. 284 Cause Length: 2 bytes (unsigned integer) 285 This value MUST be set to 6. 287 HMAC Identifier: 2 bytes (unsigned integer) 288 This value is the HMAC Identifier which is not supported. 290 5. New Chunk Type 292 This section defines the new chunk type that will be used to 293 authenticate chunks. Table 4 illustrates the new chunk type. 295 +------------+-----------------------------+ 296 | Chunk Type | Chunk Name | 297 +------------+-----------------------------+ 298 | 0x0F | Authentication Chunk (AUTH) | 299 +------------+-----------------------------+ 301 Table 4 303 It should be noted that the AUTH-chunk format requires the receiver 304 to ignore the chunk if it is not understood and silently discard all 305 chunks that follow. This is accomplished as described in RFC2960 [5] 306 section 3.2. by the use of the upper bits of the chunk type. 308 5.1. Authentication Chunk (AUTH) 310 This chunk is used to hold the result of the HMAC calculation. 312 0 1 2 3 313 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 314 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 315 | Type = 0x0F | Flags=0 | Length | 316 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 317 | Shared Key Identifier | HMAC Identifier | 318 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 319 | | 320 \ HMAC / 321 / \ 322 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 324 Figure 5 326 Type: 1 byte (unsigned integer) 327 This value MUST be set to 0x0F for all AUTH-chunks. 329 Flags: 1 byte (unsigned integer) 330 SHOULD be set to zero on transmit and MUST be ignored on receipt. 332 Length: 2 bytes (unsigned integer) 333 This value holds the length of the HMAC in bytes plus 8. 335 Shared Key Identifier: 2 bytes (unsigned integer) 336 This value describes which endpoint pair shared key is used. 338 HMAC Identifier: 2 bytes (unsigned integer) 339 This value describes which message digest is being used. Table 2 340 shows the currently defined values. 342 HMAC: n bytes (unsigned integer) 343 This hold the result of the HMAC calculation. 345 The control chunk AUTH MUST NOT appear more than once in an SCTP 346 packet. All control and data chunks which are placed after the AUTH 347 chunk in the packet are sent in an authenticated way. Those chunks 348 placed in a packet before the AUTH chunk are not authenticated. 349 Please note that DATA chunks can not appear before control chunks in 350 an SCTP packet. 352 6. Procedures 354 6.1. Establishment of an association shared key 356 An SCTP endpoint willing to receive or send authenticated chunks MUST 357 send one RANDOM parameter in its INIT or INIT-ACK chunk. The RANDOM 358 parameter MUST contain a 32 byte random number. If the random number 359 is not 32 byte long the association MUST be aborted. The ABORT chunk 360 SHOULD contain the error cause 'Protocol Violation'. In case of INIT 361 collision, the rules governing the handling of this random number 362 follow the same pattern as those for the Verification Tag, as 363 explained in section 5.2.4 of RFC2960 [5]. Therefore each endpoint 364 knows its own random number and the peer's random number after the 365 association has been established. 367 An SCTP endpoint has a list of chunks it only accepts if they are 368 received in an authenticated way. This list is included in the INIT 369 and INIT-ACK and MAY be omitted if it is empty. Since this list does 370 not change during the lifetime of there is no problem in case of INIT 371 collision. 373 Each SCTP endpoint MUST include in the INIT and INIT-ACK a HMAC-ALGO 374 parameter containing a list of HMAC Identifiers it requests the peer 375 to use. The receiver of a HMAC-ALGO parameter SHOULD use the first 376 listed algorithm it supports. The HMAC algorithm based on SHA-1 MUST 377 be supported and included in the HMAC-ALGO parameter. An SCTP 378 endpoint MUST NOT change the parameters listed in the HMAC-ALGO 379 parameter during the lifetime of the endpoint. 381 Both endpoints of an association MAY have endpoint pair shared keys 382 which are byte vectors and pre-configured or established by another 383 mechanism. They are identified by the shared key identifier. If no 384 endpoint pair shared keys are preconfigured or established by another 385 mechanism an empty byte vector is used. 387 The RANDOM parameter, the CHUNKS parameter and the HMAC-ALGO 388 parameter sent by each endpoint are concatenated as byte vectors. 390 Parameters which were not sent are simply omitted from the 391 concatenation process. The resulting two vectors are called the two 392 key numbers. 394 From the endpoint pair shared keys and the key numbers the 395 association shared keys are computed. This is performed by selecting 396 the smaller key number and concatenating it to the endpoint pair 397 shared key, and then concatenating the larger of the key numbers to 398 that. If both key numbers are equal, then the concatenation order is 399 the endpoint shared key, followed by the key number with the shorter 400 length, followed by the key number with the longer length. If the 401 key number lengths are the same, then they may be concatenated to the 402 endpoint pair key in any order. The concatenation is performed on 403 byte vectors representing all numbers in network byte order. The 404 result is the association shared key. 406 6.2. Sending authenticated chunks 408 Endpoints MUST send all requested chunks authenticated where this has 409 been requested by the peer. The other chunks MAY be sent 410 authenticated or not. If endpoint pair shared keys are used, one of 411 them MUST be selected for authentication. 413 To send chunks in an authenticated way, the sender MUST include these 414 chunks after an AUTH chunk. This means that a sender MUST bundle 415 chunks in order to authenticate them. 417 If the endpoint has no endpoint shared key for the peer, it MUST use 418 Shared Key Identifier 0 with an empty endpoint pair shared key. 420 The sender MUST calculate the MAC as described in RFC2104 [2] using 421 the hash function H as described by the MAC Identifier and the shared 422 association key K based on the endpoint pair shared key described by 423 the shared key identifier. The 'data' used for the computation of 424 the AUTH-chunk is given by Figure 6 and all chunks that are placed 425 after the AUTH chunk in the SCTP packet. 427 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 428 | Type = 0x0F | Flags=0 | Chunk Length | 429 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 430 | Shared Key Identifier | HMAC Identifier | 431 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 432 | | 433 \ 0 / 434 / \ 435 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 437 Figure 6 439 Please note that all fields are in network byte order and that the 440 field which will contain the complete HMAC is filled with zeroes. 441 The length of the field shown as 0 is the length of the HMAC 442 described by the HMAC Identifier. The padding of all chunks being 443 authenticated MUST be included in the HMAC computation. 445 The sender fills the HMAC into the HMAC field and sends the packet. 447 6.3. Receiving authenticated chunks 449 The receiver has a list of chunk types which it expects to be 450 received only after an AUTH-chunk. This list has been sent to the 451 peer during the association setup. It MUST silently discard these 452 chunks if they are not placed after an AUTH chunk in the packet. 454 The receiver MUST use the HMAC algorithm indicated in the HMAC 455 Identifier field. If this algorithm was not specified by the 456 receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk 457 during association setup, the AUTH chunk and all chunks after it MUST 458 be discarded and an ERROR chunk SHOULD be sent with the error cause 459 defined in Section 4.1. 461 If an endpoint with no shared key receives a Shared Key Identifier 462 other than 0, it MUST silently discard all authenticated chunks. If 463 the endpoint has at least one endpoint pair shared key for the peer, 464 it MUST use the key specified by the Shared Key Identifier if a key 465 has been configured for that Shared Key Identifier. If no endpoint 466 pair shared key has been configured for that Shared Key Identifier, 467 all authenticated chunks MUST be silently discarded. 469 The receiver now performs the same calculation as described for the 470 sender based on Figure 6. If the result of the calculation is the 471 same as given in the HMAC field, all chunks following the AUTH chunk 472 are processed. If the field does not match the result of the 473 calculation, all the chunks following the AUTH chunk MUST be silently 474 discarded. 476 It should be noted that if the receiver wants to tear down an 477 association in an authenticated way only, the handling of malformed 478 packets should be in tune with this. 480 An SCTP implementation has to maintain state for each SCTP 481 association. In the following we call this data structure the SCTP 482 transmission control block (STCB). 484 When an endpoint requires COOKIE-ECHO chunks to be authenticated some 485 special procedures have to be followed because the reception of an 486 COOKIE-ECHO chunk might result in the creation of an SCTP 487 association. If the receiver does not find a STCB for a packet 488 containing an AUTH chunk as a first chunk and a COOKIE-ECHO chunk as 489 the second chunk and possibly more chunks after them, the receiver 490 MUST authenticate the chunks by using the random numbers included in 491 the COOKIE-ECHO, and possibly the local shared secret. If 492 authentication fails then the packet is discarded. If the 493 authentication is successful the COOKIE-ECHO and all chunks after the 494 COOKIE-ECHO MUST be processed. If the receiver has a STCB, it MUST 495 process the AUTH chunk as described above using the STCB from the 496 existing association to authenticate the COOKIE-ECHO chunk and all 497 chunks after it. 499 If the receiver does not find a STCB for a packet containing an AUTH 500 chunk as the first chunk and not a COOKIE-ECHO chunk as the second 501 chunk, it MUST use the chunks after the AUTH chunk to look up an 502 existing association. If no association is found, the packet MUST be 503 considered as out of the blue. The out of the blue handling MUST be 504 based on the packet without taking the AUTH chunk into account. If 505 an association is found, it MUST process the AUTH chunk using the 506 STCB from the existing association as described earlier. 508 If the receiver of the packet does not have a STCB when it needs to 509 process the AUTH chunk, it MUST ignore the AUTH chunk. This applies 510 to a packet containing an AUTH chunk as a first chunk and an COOKIE- 511 ECHO chunk as the second chunk received in the CLOSED state. If the 512 receiver has a STCB, it MUST process the AUTH chunk as described 513 above. 515 Requiring ABORT chunks and COOKIE-ECHO chunks to be authenticated 516 makes it impossible for an attacker to bring down or restart an 517 association as long as the attacker does not know the association 518 shared key. But it should also be noted that if an endpoint accepts 519 ABORT chunks only in an authenticated way, it may take longer to 520 detect that the peer is no longer available. If an endpoint accepts 521 COOKIE-ECHO chunks only in an authenticated way, the restart 522 procedure does not work, because the restarting end-point most likely 523 does not know the association shared key of the old association to be 524 restarted. However, if the restarting end-point does know the old 525 association shared key he can send successfully the COOKIE-ECHO chunk 526 in a way that it is accepted by the peer by using this old 527 association shared key for the packet containing the AUTH chunk. 528 After this operation both end-points have to use the new association 529 shared key. 531 If a server has an endpoint pair shared key with some clients it can 532 request the COOKIE_ECHO chunk to be authenticated and can ensure that 533 only associations from client with a correct endpoint pair shared key 534 are accepted. 536 Furthermore it is important that the cookie contained in an INIT-ACK 537 chunk and in a COOKIE-ECHO chunk MUST NOT contain the end-point pair 538 shared key. 540 7. Examples 542 This section gives examples of message exchanges for association 543 setup. 545 The simplest way of using the extension described in this document is 546 given by the following message exchange. 548 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> 549 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- 550 -------------------- COOKIE-ECHO --------------------> 551 <-------------------- COOKIE-ACK --------------------- 553 Please note that the CHUNKS parameter is optional in the INIT and 554 INIT-ACK. 556 If the server wants to receive DATA chunks in an authenticated way, 557 the following message exchange is possible: 559 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> 560 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- 561 --------------- COOKIE-ECHO; AUTH; DATA -------------> 562 <----------------- COOKIE-ACK; SACK ------------------ 564 Please note that if the endpoint pair shared key depends on the 565 client and the server and that it is only known by the upper layer 566 this message exchange requires an upper layer intervention between 567 the processing of the COOKIE-ECHO chunk (COMMUNICATION-UP 568 notification followed by the presentation of the endpoint pair shared 569 key by the upper layer to the SCTP stack) and the processing of the 570 AUTH and DATA chunk at the server side. If this intervention is not 571 possible due to limitations of the API (for example the socket API) 572 the server might discard the AUTH and DATA chunk making a 573 retransmission of the DATA chunk necessary. If the same endpoint 574 pair shared key is used for multiple endpoints and does not depend on 575 the client this intervention might not be necessary. 577 8. IANA Considerations 579 [NOTE to RFC-Editor: 581 "RFCXXXX" is to be replaced by the RFC number you assign this 582 document. 584 ] 586 This document (RFCXXX) is the reference for all registrations 587 described in this section. All registrations need to be listed in 588 the document available at sctp-parameters [8]. The suggested changes 589 are described below. 591 8.1. A New Chunk Type 593 A chunk type for the AUTH chunk has to be assigned by IANA. It is 594 suggested to use the value given in Table 4. This requires an 595 additional line in the "CHUNK TYPES" table of sctp-parameters [8]: 597 CHUNK TYPES 599 ID Value Chunk Type Reference 600 ----- ---------- --------- 601 15 Authentication Chunk (AUTH) [RFCXXXX] 603 8.2. Three New Parameter Types 605 Parameter types have to be assigned for the RANDOM, CHUNKS, and HMAC- 606 ALGO parameter by IANA. It is suggested to use the values given in 607 Table 1. This requires two modifications of the "CHUNK PARAMETER 608 TPYES" tables in sctp-parameters [8]: The first change is the 609 addition of three new lines to the "INIT Chunk Parameter Types" 610 table: 612 Chunk Parameter Type Value 613 -------------------- ----- 614 Random 32770 (0x8002) 615 Chunk List 32771 (0x8003) 616 Requested HMAC Algorithm Parameter 32772 (0x8004) 618 The second required change is the addition of the same three lines to 619 the to the "INIT ACK Chunk Parameter Types" table. 621 8.3. A New Error Cause 623 An error cause for the Unsupported HMAC Identifier error cause has to 624 be assigned. It is suggested to use the value given in Table 3. 625 This requires an additional line of the "CAUSE CODES" table in sctp- 626 parameters [8]: 628 VALUE CAUSE CODE REFERENCE 629 ----- ---------------- --------- 630 261 (0x0105) Unsupported HMAC Identifier RFCXXXX 632 8.4. A New Table For HMAC Identifiers 634 HMAC Identifiers have to be maintained by IANA. Three initial values 635 should be assigned by IANA as described in Table 2. This requires a 636 new table "HMAC IDENTIFIERS" in sctp-parameters [8]: 638 HMAC Identifier Message Digest Algorithm REFERENCE 639 --------------- ------------------------ --------- 640 0 Reserved RFCXXXX 641 1 SHA-1 RFCXXXX 642 3 SHA-256 RFCXXXX 644 For registering at IANA a new HMAC Identifier in this table a request 645 has to be made to assign such a number. This number must be unique 646 and a message digest algorithm usable with the HMAC defined in 647 RFC2104 [2] MUST be specified. The "Specification Required" policy 648 of RFC2434 [4] MUST be applied. 650 9. Security Considerations 652 Without using endpoint shared keys this extension only protects 653 against modification or injection of authenticated chunks by 654 attackers who did not capture the initial handshake setting up the 655 SCTP association. 657 If an endpoint pair shared key is used even a true man in the middle 658 cannot inject chunks which are required to be authenticated even if 659 he intercepts the initial message exchange. The endpoint also knows 660 that it is accepting authenticated chunks from a peer who knows the 661 endpoint pair shared key. 663 The establishment of endpoint pair shared keys is out of scope of 664 this document. Other mechanisms can be used like using TLS or manual 665 configuration. 667 When an endpoint accepts COOKIE-ECHO chunks only in an authenticated 668 way the restart procedure does not work. Neither an attacker nor a 669 restarted end-point not knowing the association shared key can 670 perform an restart. However, if the association shared key is known, 671 it is possible to restart the association. 673 Because SCTP has already a mechanism built-in that handles the 674 reception of duplicated chunks, the presented solution makes use of 675 this functionality and does not provide a method to avoid replay 676 attacks by itself. Of course, this only works within each SCTP 677 association. Therefore a separate shared key is used for each SCTP 678 association to handle replay attacks covering multiple SCTP 679 associations. 681 Each endpoint presenting a list of more than one element in the HMAC- 682 ALGO parameter must be prepared that the peer uses the weakest 683 algorithm listed. 685 When an endpoint pair uses non-NULL endpoint pair shared keys and one 686 of the endpoints still accepts a NULL key an attacker who captured 687 the initial handshake can still inject or modify authenticated chunks 688 by using the NULL key. 690 10. Acknowledgments 692 The authors wish to thank Sascha Grau, Ivan Arias Rodriguez, Irene 693 Ruengeler, and Magnus Westerlund for their invaluable comments. 695 11. Normative References 697 [1] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 698 April 1992. 700 [2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing 701 for Message Authentication", RFC 2104, February 1997. 703 [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement 704 Levels", BCP 14, RFC 2119, March 1997. 706 [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 707 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 709 [5] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, 710 H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson, 711 "Stream Control Transmission Protocol", RFC 2960, October 2000. 713 [6] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport Layer 714 Security over Stream Control Transmission Protocol", RFC 3436, 715 December 2002. 717 [7] National Institute of Standards and Technology, "Secure Hash 718 Standard", FIPS PUB 180-2, August 2002, 719 . 722 [8] 724 Authors' Addresses 726 Michael Tuexen 727 Muenster Univ. of Applied Sciences 728 Stegerwaldstr. 39 729 48565 Steinfurt 730 Germany 732 Email: tuexen@fh-muenster.de 734 Randall R. Stewart 735 Cisco Systems, Inc. 736 4875 Forest Drive 737 Suite 200 738 Columbia, SC 29206 739 USA 741 Email: rrs@cisco.com 743 Peter Lei 744 Cisco Systems, Inc. 745 8735 West Higgins Road 746 Suite 300 747 Chicago, IL 60631 748 USA 750 Phone: 751 Email: peterlei@cisco.com 753 Eric Rescorla 754 RTFM, Inc. 755 2064 Edgewood Drive 756 Palo Alto, CA 94303 757 USA 759 Phone: +1 650-320-8549 760 Email: ekr@rtfm.com 762 Full Copyright Statement 764 Copyright (C) The IETF Trust (2007). 766 This document is subject to the rights, licenses and restrictions 767 contained in BCP 78, and except as set forth therein, the authors 768 retain all their rights. 770 This document and the information contained herein are provided on an 771 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 772 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 773 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 774 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 775 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 776 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 778 Intellectual Property 780 The IETF takes no position regarding the validity or scope of any 781 Intellectual Property Rights or other rights that might be claimed to 782 pertain to the implementation or use of the technology described in 783 this document or the extent to which any license under such rights 784 might or might not be available; nor does it represent that it has 785 made any independent effort to identify any such rights. Information 786 on the procedures with respect to rights in RFC documents can be 787 found in BCP 78 and BCP 79. 789 Copies of IPR disclosures made to the IETF Secretariat and any 790 assurances of licenses to be made available, or the result of an 791 attempt made to obtain a general license or permission for the use of 792 such proprietary rights by implementers or users of this 793 specification can be obtained from the IETF on-line IPR repository at 794 http://www.ietf.org/ipr. 796 The IETF invites any interested party to bring to its attention any 797 copyrights, patents or patent applications, or other proprietary 798 rights that may cover technology that may be required to implement 799 this standard. Please address the information to the IETF at 800 ietf-ipr@ietf.org. 802 Acknowledgment 804 Funding for the RFC Editor function is provided by the IETF 805 Administrative Support Activity (IASA).